Release Notes Version 3.5.x

Version 3.5.16 (released 2022-01-31)

• Firefox fixes included in v3.6.5 and v3.6.6.
• Updating LiquidFiles will also update the underlying system. Installing this update will ensure you have installed a fix for CVE 2021-4034 (PwnKit).

Version 3.5.15 (released 2021-11-16)

• Security: Additional fix for the privilege escalation issue fixed in v3.5.14.

Version 3.5.14 (released 2021-11-11)

• Security: Fixed a privilege escalation issue where User Admins and Admins could elevate their privileges to Sysadmins.

Version 3.5.13 (released 2021-09-13)

• Fixed an issue where sometimes when manually updating LiquidFiles, it wouldn't redirect to the update page.
• Updated Content-Security-Policy Frame-Ancestor in-line with a recent Chrome update (only affects if you're using LiquidFiles loaded in a frame).

Version 3.5.12 (released 2021-08-25)

• Security. Fixed an issue where a an attacker with a specially crafted response could bypass the account verification process when registering for an account.

Version 3.5.11 (released 2021-08-23)

• Added warning that v3.6 won't support Internet Explorer and Microsoft Edge Legacy.
• Fixed FTPdrop upload issue when max file size larger than 1GB.
• Only expire empty directories from FTPdirs.
• Fixed an issue that wasn't logging when a zip'd folder was downloaded from a Share.
• Delete temporary users when a user registers for an account.
• Redirect to the correct URL after creating a FTPdir.
• Internal fixes.

Version 3.5.10 (released 2021-05-27)

• Security: Fixed an issue it was possibly to bypass FileLink authentication with a specially crafted URL.
• Security: Fixed an issue it was possibly to bypass Message authorization for logged in users with a specially crafted URL.
• Security: Removed Webserver and FTP server basic identifications.
• Fixed an issue where filenames with commas would generate html escaped syntax in csv downloads.
• Fixed an issue where using SAML in the Outlook plugin for a user with the API disabled would still return an API key.
• Fixed size calculation for partial uploads.
• Account Filedrop column headers where in the wrong order.
• Updated Ruby on Rails.

Version 3.5.9 (released 2021-05-13)

• Added function to convert Certificates and remove Private Key Encryption.
• Support for SAML API (Outlook plugin) authentication.
• Ensure that the weekly maintenance doesn't delete recently uploaded unsent files.
• Fixed an issue where the wrong Content-Type could be set when multiple files was uploaded at once.
• Fixed an issue where renaming files in Shares multiple times could remove the file.
• Fixed an issue where X-Forwarded-For headers with port numbers correctly sets the client IP address.
• Fixed potential move server migration issues.

Version 3.5.8 (released 2021-04-21)

• Fixed an issue with auto-updates.
• Fixed a couple of upload issues where uploads would sometimes hang at the end of uploads and not show as completed.
• Reworked uploads from not logged in users (Filedrops, ...) to avoid potential race conditions.
• Better handling of reuploading files that had already been uploaded but not processed.
• Disable the submit button on the message when additional files are being uploaded.
• Ensure pool files are not deleted.
• Added function to remove all partially uploaded files at once in Admin → System → Attachment Queue.
• Fixed an issue where XML files couldn't be uploaded in a Filedrop.
• Fixed URL redirection issues when using http behind a https enabled reverse proxy.
• Added function to automatically reboot LiquidFiles after an update if required.
• Fixed an issue that would sometimes return multiple search results that should have been a single result.

Version 3.5.7 (released 2021-03-30)

• Fixed an issue where strong auth username could be reset from LDAP if not set.
• Permit larger (2GB+) FTPdir Quotas.
• Stronger relay settings for Emaildrops.
• Added route interface validation.
• Force Sms Auth Config to begin with http/https
• Remove old temporary directories as well as files.
• Fixed an issue where some systems had incorrect external group configuration, causing them to require licenses.
• Display the Strong Auth inherit correct in the Admin → Users list view.

Version 3.5.6 (released 2021-03-19)

• Better license description in the daily email.
• Better description of the System Administrator fallback password requirement.
• Fixed a problem where FTP quotas wasn't enforced.
• Updated HTML editor (menus work as expected now).
• Create favicon.png if favicon.ico exists - v3.5 uses favicon.png as favicon.
• Fixed an issue moving files and folders.
• Fixed an issue reporting files to large if trying to upload a file larger than the limit.
• Only show autosend option if it's available.
• Added option to remove ftp brute force blocking.
• Treat zip downloads some as non-zip downloads when calculating downloads when owner downloads their own files.

Version 3.5.5 (released 2021-03-05)

• Fixed an issue where uploading a folder of files to a share wasn't working.
• Fixed an issue where the auto-send when uploaded on the Compose Message page wasn't working.

Version 3.5.4 (released 2021-03-04)

• Fixed an issue updating branding on non-default domains.
• Fixed an issue where the original sender was listed in the email when replying to a private message instead of the user replying.
• Added description, revision and quota when viewing a share using the API.
• Fixed an issue where the valid recipients wasn't working properly when the setting only permit to send to existing users was enabled.
• Added SMS auth timeout.
• Show blocked extensions on the message compose page when selected.
• Domain Admins couldn't access some pages they should be able to.
• Fixed an issue searching LDAP groups that would incorrectly report an SSL error.
• Accept Cookies wasn't saved properly.

Version 3.5.3 (released 2021-02-22)

• Fixed an issue where uploading large files using User Filedrops with email addresses didn't work properly.
• Fixed a text parsing issue where for instance LDAP group names with spaces wouldn't be saved correctly.
• Fixed an issue where downloading html files would trigger two download actions so expires_after limitations would be incorrect.
• Updated the update page to make it clearer.
• Fixed an issue where /login wasn't accessible.
• Fixed an issue where some FileLink attributes wasn't updatable.

Version 3.5.2 (released 2021-02-18)

• Fixed an issue where FileLinks could select multiple files (only the first one got used).
• Fixed an issue with the daily status email that sometimes wouldn't get sent.
• Tightened the Content-Security-Policy for the image policy.

Version 3.5.1 (released 2021-02-16)

• Remove Temporary User entries for an email if a user with that email is created.
• Fixed an issue with branding uploading transparent PNGs that didn't retain their transparency.
• Added attachment download URL to the messages API.
• Fixed an issue where it wasn't possible to change Admin domain for multi-domain setups.
• Don't BCC previous recipients when replying.
• Added function to generate SHA-256 fingerprint for SAML certificates.
• Fixed an issue where some log messages wasn't written to the database.
• Added FTP/SFTP Max Login Attempt configuration and changed the brute force blocking to a connection rate limiter.
• Fixed an issue where Two-Factor authentication network override sometime wasn't working.
• Updated version of Ruby on Rails.

Version 3.5.0 (released 2021-02-04)

• Version 3.5.0, please see the major change list below to see what's changed since v3.4.x.

Major changes from version 3.4 to version 3.5

In general, LiquidFiles v3.5 has focused on improving existing features and adding a few things that really should have been in the product a while but for various reasons haven't been added until now.

• Support for Upload Resume. If an upload is interrupted, using an updated upload mechanism, uploads will now resume from the last completed 100MB chunk.
• Session Timeouts — defaulting to 60 minutes.
• Accept Cookie Alert. You can now enable to show an alert that cookies will be used when accessing LiquidFiles.
• Rearchitected the Branding configuration making it much easier to add logos and update things like the menubar, email footers and favicons.
• Temporary Users — replacing Access Passes from v3.4.
• Strong Authentication Exclude Networks — if you want to enable Strong Authentication and not require it from the local corporate network.
• Remember Strong Authentication — so that users only have to enter strong authentication every 2 weeks.
• Require SAML — you can now require a group of users authenticating using SAML.
• Redirect user to the SAML server if they don't exist but their email domain matches the match email domain attribute for a group that requires SAML authentication.
• LDAP Lookup Only. Since SAML is not a direct replacement for LDAP you can now do user lookups via LDAP and not use LDAP for authentication.
• SAML group match. If your SAML server sends the memberOf SAML attribute, you can now match groups of users using this attribute to automatically assign users to groups using SAML.
• SAML attributes updates existing account information.
• Sysadmins are now required to have a local fallback password. If you have sysadmins that authenticate using LDAP and the LDAP authentication fails, a sysadmin can authenticate using their local fallback password and update the LDAP settings as required.
• When resetting a password, all other user sessions for that user id will be invalidated.
• Updated the Admin → System → License Page, making it easier to replace license keys.
• Added Ldap attributes for phone number and strong auth username.
• Added SAML2 Azure configuration setting.
• Restrict Emaildrops to only use the systems Public Hostname as email recipient domain.
• Make Reply (as opposed to Reply-All) the default Message Reply function.
• Fixed a security issue where a custom crafted locale file could access system resources.
• Lots of internal fixes and improvements.
• Updated Ruby, Nginx, PostgreSQL and other depencies and libraries to later versions.